As introduced in a previous post, I have been using a $199 Netgear R7800 consumer router/AP (running DD-WRT) for performing wireless packet captures. Here is a little more detail on the process:

Step 2: SSH to the R7800. Use the iw command to determine which radio has 5 GHz support. First, use “iw phy” to list the details of all physical interfaces. Then, use “iw dev” to list the device to physical interface mappings. On my R7800, phy#0 has 5 GHz support and is represented by device ath0.

Step 3: Put the desired device into monitor mode and set the channel. In this example, I am using ath0 and channel 155 (5745 MHz center of the first channel 149, 80 MHz wide, and 5775 MHz center of the entire 80 MHz channel).

Step 4: Begin the capture. Here, I am saving the capture file to the ramdisk at /tmp. This particular device has only about 400 MB available, so I am only going to capture for less than 10 seconds. After issuing the command below, press CTRL-Z to stop the capture.

root@DD-WRT:~# tcpdump -i ath0 -n -w /tmp/capture1.pcap

Step 5: Move the capture to a PC for analysis. I could use a flash drive and copy the file that way, but I already have tftp64 running on my PC for some Cisco firmware updates, so I will use tftp. 192.168.44.9 is the IP of my PC.

root@DD-WRT:~# tftp -l /tmp/capture1.pcap -p 192.168.44.9

Note: High data rate captures can become large in a hurry. This 6.3 second capture is about 237 MB in size. A quick look in Wireshark shows most of the frames were transmitted at VHT MCS 7 with 2 spatial streams, 585 Mbps rate.

For part of a class I am teaching, I am walking the students through building two managed Wi-Fi systems: one based on a Cisco WLC and one based on MikroTik CAPsMAN. Both have their pros and cons, but the really exciting part about the MikroTik system is the low barrier to entry in terms of cost and time. I hope to document some of the project on this blog to share some pointers and configuration examples.

This test bench example setup consists of a MikroTik RouterBoard hEX PoE (a router with 4 PoE outputs), two MikroTik wAP ac (2 dBi omnidirectional dual band 3×3:3 802.11a/b/g/n/ac) and a MikroTik SXT SA 5ac (14 dBi 90-degree sector single band 2×2:2 802.11a/n/ac). All pieces, including the router, can operate on 12 – 57 volt passive PoE. In fact, the entire 4 piece ensemble was consuming just 14.7 watts @ 49 volts at the time these photos were taken (PoE provided via port 1 on the router, generic 48v injector is outside of the frame between the router and the upstream Internet source).

Performing an 802.11 packet (frame) capture from an AP is nothing new. But sometimes an extra AP isn’t available or there is a desire for a lower cost alternative. What looks like a wedge-shaped battle bot but can capture those 3×3 MIMO frames for $199? Why, this piece of heavy duty marketing… when running different software.

The WiFi Pineapple Tetra is one of my favorite inexpensive wireless tools, but it is limited to 2×2 802.11n at best. Installing a very recent build of DD-WRT on the Netgear R7800 allows for many of the same functions using an Atheros 4×4:4 802.11ac radio, albeit in a more primitive manner. Both iw and tcpdump are included in the base DD-WRT environment, so the usual commands for gathering basic site survey information and performing packet captures are available immediately. I do not have any USB storage devices fast enough to store a real time 300+ Mbps (37.5+ MB/s) capture, but the R7800 does have 512 MB ram, about 400 MB of which is free, so I generally capture as much as 350 MB to the /tmp ramdisk first and later copy the pcap to an external storage device. I can post some more detailed instructions if there is interes

For larger or more critical WLANs, I primarily use Cisco APs and WLCs. I’ve had many successes with Cisco and am comfortable installing their equipment in challenging environments. But for smaller networks or when cost is a major concern, I often turn to MikroTik for a CAPsMAN-managed solution.

There is no shortage of CAPsMAN tutorials online, but many skip past some of the more handy features, especially those involving access lists. I hope to post many more examples in the future, but for now, here is one I use fairly often with IoT devices in a home or small office environment: per-device Private Passphrase.

To configure via the WinBox GUI, add a new item in the Access List tab of the CAPsMAN window. Use the MAC address of the wireless client. This can also be done by using the “Copy to Access List” button in the details window of an already-associated client from the Registration Table tab.

Once the client has been identified, additional parameters can be added. In this example, I specified the 5 GHz Lobby interface as this device is 5 GHz capable and happens to be located near that specific AP. The device-specific PSK can be entered in the field below. Changes are applied immediately upon clicking Apply or OK.

To prevent the device from associating to another AP on the system, and to keep it from using 2.4 GHz on the lobby AP, I have added an explicit reject rule below the PSK rule.

Cisco has posted information about the upcoming WLC 8.2MR5 (future 8.2.150) release. While the newest WLC release train is the 8.3 series, the current TAC recommended version is 8.2.x and this update addresses quite a few bugs and may be worth investigating or at least keeping an eye on.

It’s no secret that I am a fan of MikroTik products for low- to mid-range layer 3 router tasks. MikroTik’s RouterOS is based on Linux, not unlike many other router appliances, and has a similarly wide feature set. The low cost of most MikroTik devices means I can easily build a full switch and router test lab for less than the cost of a single Cisco AP, freeing time and money for layer 1 and 2 challenges.

The only way to learn RouterOS is to purchase a RouterBoard and get your hands dirty. Download winbox, browse the release notes, explore the forums, search the wiki, and challenge yourself to build many different configs. Please, please, please use Winbox. The RouterOS web interface is helpful in a pinch, but is nowhere near as nice to use as the Winbox client. And as much as I love the CLI, the Winbox GUI is much more conducive to exploring than stumbling around in an alien text environment (the RouterOS CLI is nothing like Cisco IOS). I have successfully used Winbox in Windows versions XP through 10, and in Linux and Mac OS X via wine. You may have to tinker with wine font settings, but it will work fairly well on most versions of Linux and OS X.

The MikroTik User Meetings, or MUMs, are regional conferences full of presentations and vendor exhibits. The MUM Archive is a great place to browse slides and videos from past MUM presentations, some of which are linked below.

As a thrifty person, I enjoy finding flexible and low-cost tools to use and share with others. The MikroTik RouterBoard family has a lot to offer in the $50 – $100 range and is often found in my toolkit. While I am a fan of products from NetScout, Ekahau, and MetaGeek, I do use MikroTik equipment for the occasional test, especially in situations where I have to leave equipment in place in my absence.

/interface/wireless/spectral-scan and spectral-history provide a quick overview of RF conditions:

Spectral-scan is a live view, while spectral-history is a low resolution waterfall graph. Both can be utilized remotely via telnet, ssh, winbox, and The Dude.

The occasional wireless packet capture can be performed using the Wireless Sniffer feature. Captures can be saved to internal flash, external USB storage, or streamed via TZSP to a remote protocol analyzer such as Wireshark.

Selecting the desired frequency range is less than obvious. One easy method is to partially configure the wireless interface as a station. SSID doesn’t matter, but be sure to specify the band, width, and frequency.

Navigating the many versions of Cisco wireless software can become a headache. I often use the newest versions, especially when working with the latest Cisco APs (such as the new 2802i). This is not always practical or possible, especially when working in an existing environment where specific versions may be required for compatibility or stability reasons. The Cisco Wireless Solutions Software Compatibility Matrix has cross referenced lists of AP, WLC, MSE, Prime, and other related component versions.

I often use MikroTik routers for DHCP, NAT, management VPN, and other tasks for the WLANs I manage. Utilizing DHCP Option 43 to provide Cisco APs with the IP address of the WLC(s) helps simplify the AP provisioning process. The MikroTik RouterOS configuration segment below is a glimpse of how I accomplish this.

The only potential gotcha is the format of the hex string value. Per the Cisco WLC documentation, the string always starts with 0xf1, followed by the length of the IP address lists expressed in number of octets. In this example, I have just one IP address for one WLC, so that number is 04 (one IPv4 address is made up of 4 octets). The remainder of the string, ac14640c, refers to the IP address 172.20.100.12, the WLC. A simple decimal to hex calculator can help with this conversion. Decimal 172 is hex ac, decimal 20 is hex 14, and so on. Note that single-digit values must be padded with a leading zero: decimal 12 is hex c, padded with a leading zero to become 0c.
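The encoding just described, as an added example (not from the original post or from MikroTik/Cisco): it builds the 0xf1 / length / address-list hex string for one or more WLCs, and decodes a string back while checking that the length byte matches the payload, which is the usual typo that leaves APs unable to join. The 0x prefix on the RouterOS option value is an assumption about how the hex string is entered in the DHCP server option.

```python
"""Encode and validate the Cisco-style DHCP Option 43 value used to point
lightweight APs at their WLC(s).  Added example, not the post's own code."""
import ipaddress
from typing import List

CISCO_WLC_SUBOPTION = 0xF1  # Cisco controller sub-option tag per the WLC docs


def encode_wlc_option43(controllers: List[str]) -> str:
    """Return the Option 43 hex string: f1, octet count, then each IPv4 address.

    Each address contributes 4 octets, so the length byte is 4 * len(controllers).
    Using the packed form avoids the hand-conversion padding mistake (c vs 0c).
    """
    if not controllers:
        raise ValueError("at least one WLC address is required")
    payload = b"".join(ipaddress.IPv4Address(c).packed for c in controllers)
    if len(payload) > 0xFF:
        raise ValueError("too many controllers for a one-byte length field")
    return bytes([CISCO_WLC_SUBOPTION, len(payload)]).hex() + payload.hex()


def routeros_option_value(controllers: List[str]) -> str:
    """Hex value with a 0x prefix, the form assumed for a RouterOS DHCP option."""
    return "0x" + encode_wlc_option43(controllers)


def decode_wlc_option43(hexstr: str) -> List[str]:
    """Parse an Option 43 hex string back into dotted addresses, checking framing."""
    text = hexstr.strip().lower()
    if text.startswith("0x"):
        text = text[2:]
    raw = bytes.fromhex(text)
    if len(raw) < 2 or raw[0] != CISCO_WLC_SUBOPTION:
        raise ValueError("value does not start with sub-option 0xf1")
    length, body = raw[1], raw[2:]
    if length != len(body) or length % 4 != 0:
        raise ValueError(f"length byte {length} does not match {len(body)} payload octets")
    return [str(ipaddress.IPv4Address(body[i:i + 4])) for i in range(0, length, 4)]


if __name__ == "__main__":
    # The post's single WLC at 172.20.100.12 encodes as f104ac14640c
    print(routeros_option_value(["172.20.100.12"]))
    print(decode_wlc_option43("f104ac14640c"))
```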